Systems and methods for managing network vulnerability scanning to avoid disruption of operations

ABSTRACT

There are provided systems and methods for managing network vulnerability scanning to avoid interference and disruption of network operations. In one form, the system includes: a network of computing devices; a network vulnerability scanner for evaluating insecurity and vulnerability of the network; a network traffic monitor for measuring the volume of network traffic at a certain time; and a scanning scheduler that includes scanning blackout events limiting operation of the scanner. Each blackout event includes an event name, a country or region for the blackout, a blackout start time and end time, and a blackout type that may include a level of the blackout and an authorization required for the network scan to proceed. In the system, a control circuit controls operation of the scanner; interrupts, delays, or cancels a network scan when the network traffic exceeds a certain threshold; and enforces blackout events according to the scanning scheduler.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims the benefit of U.S. Provisional Application No. 62/667,965, filed May 7, 2018, which is incorporated by reference in its entirety herein.

TECHNICAL FIELD

This invention relates generally to scanning of computer networks, and more particularly, to scanning computer networks to determine vulnerabilities and insecurities.

BACKGROUND

In the retail setting, computer networks are relied on for the functioning of retailer operations. Shopping facilities, product distribution centers, and other retail entities rely on networks of computer devices with applications running on the devices to facilitate their retail activities. For example, online and in-store shopping requires proper functioning of a retailer's computer networks in order to enable customers to make purchases in an easy and convenient manner. In order for continued operation of the retailer's computer networks, these networks must be periodically scanned by a network vulnerability scanner in order to identify and neutralize potential points of the networks that may be insecure and subject to improper action by outside actors. These concerns also apply to other non-retail operations, such as, for example, air traffic control systems.

Accordingly, it is desirable to develop an approach where network vulnerability scanning can be conducted without interference and disruption of retailer and other operations. In some circumstances, scanning can cause networks to crash or to otherwise be improperly affected. Entities seek to avoid such adverse impact on their networks when these networks are especially needed, such as during peak times for online and in-store shopping by customers. It is therefore desirable to apply an approach where scanning can be conducted to address network vulnerabilities while simultaneously seeking to minimize the disruption of networks.

BRIEF DESCRIPTION OF THE DRAWINGS

Disclosed herein are embodiments of systems, apparatuses and methods pertaining to managing network vulnerability scanning to avoid interference and disruption of ongoing operations. This description includes drawings, wherein:

FIG. 1 is a block diagram in accordance with some embodiments;

FIG. 2 is a schematic diagram in accordance with some embodiments;

FIG. 3 is a table in accordance with some embodiments;

FIG. 4 is a portion of a screenshot in accordance with some embodiments;

FIG. 5 is a flow diagram in accordance with some embodiments; and

FIG. 6 is a schematic diagram in accordance with some embodiments.

Elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions and/or relative positioning of some of the elements in the figures may be exaggerated relative to other elements to help to improve understanding of various embodiments of the present invention. Also, common but well-understood elements that are useful or necessary in a commercially feasible embodiment are often not depicted in order to facilitate a less obstructed view of these various embodiments of the present invention. Certain actions and/or steps may be described or depicted in a particular order of occurrence while those skilled in the art will understand that such specificity with respect to sequence is not actually required. The terms and expressions used herein have the ordinary technical meaning as is accorded to such terms and expressions by persons skilled in the technical field as set forth above except where different specific meanings have otherwise been set forth herein.

DETAILED DESCRIPTION

Generally speaking, pursuant to various embodiments, systems, apparatuses and methods are provided herein useful for managing network vulnerability scanning to avoid interference and disruption of network operations. In one form, the system comprises: a network comprising a plurality of communicatively coupled computing devices with applications running thereon; a network vulnerability scanner configured to evaluate insecurity and vulnerability of the network to disruption by outside actors; a network traffic monitor configured to measure the volume of traffic being transferred across the network at a certain point in time; a scanning scheduler comprising a plurality of scanning blackout events limiting operation of the network vulnerability scanner, each scanning blackout event including an event name, an applicable country or region for the blackout, a blackout start time, a blackout end time, and a blackout type indicating at least one of: a predetermined level of the blackout in the country or region and a predetermined authorization required for the network scan to proceed. The system further comprises a control circuit operatively coupled to the network vulnerability scanner, network traffic monitor, and the scanning scheduler, the control circuit configured to: control operation of the network vulnerability scanner; interrupt, delay, or cancel a network scan by the network vulnerability scanner when the network traffic measured by the network traffic monitor exceeds a predetermined threshold; and enforce scanning blackout events according to the scanning scheduler.

In some implementations, the network traffic monitor measures daily traffic in one or more countries or regions; the control circuit determines whether the measured daily traffic in the one or more countries or regions exceeds predetermined thresholds for those one or more countries or regions; and the control circuit creates a scanning blackout event for those one or more countries or regions on anniversaries of the dates where the measured daily traffic exceeded the predetermined thresholds. In some implementations, the control circuit receives input that a network scan disrupted network operations on a certain date in a country or region; and the control circuit creates a scanning blackout event in that country or region on anniversaries of that certain date. In some implementations, the predetermined level of a blackout comprises one or more of: all network scans allowed, only manually inputted and non-recurring network scans allowed, network scans only permitted for certain departments or portions of the network being scanned, and all network scans blocked. In some implementations, the predetermined level of a blackout is one selected from a group of levels; each blackout type indicates the predetermined level of the blackout for each country or region; and each blackout type further requires a predetermined authorization for the network scan to proceed, the predetermined authorization corresponding to the predetermined level in each country or region. In some implementations, following interruption, delay, or cancellation of a network scan when measured network traffic exceeds a predetermined threshold: the network traffic monitor is configured to continue measuring the volume of traffic being transferred across the network at predetermined time intervals; and the control circuit is configured to initiate a network scan when both the volume of traffic no longer exceeds the predetermined threshold and the scanning scheduler does not indicate a blackout event. In some implementations, the network traffic monitor is configured to measure the volume of traffic being transferred across a network at predetermined time intervals for a predetermined country or region; the control circuit is configured to determine a rate in the change of the volume of traffic; and the control circuit is configured to interrupt, delay, or cancel a network scan when the rate in the change of the volume of traffic exceeds a predetermined threshold rate. In some implementations, the network vulnerability scanner performs at least one of the operations of accessing files, querying network ports, and performing login actions. In some implementations, the network vulnerability scanner is further configured to evaluate insecurity and vulnerability by: scanning nodes using login credentials on the network; performing a plurality of measurements indicating usage capacity on a node or on the network; and determining one or more of conflicting application operations, misconfigurations of the applications, and internal application vulnerabilities. In some implementations, the scanning blackout events comprise one or more of peak business hours, predetermined holidays, and historical times of peak network transactions.

In another form, there is provided a method for managing network vulnerability scanning to avoid interference and disruption of network operations, the method comprising: providing a network comprising a plurality of communicatively coupled computing devices with applications running thereon; providing a network vulnerability scanner configured to evaluate insecurity and vulnerability of the network to disruption by outside actors; providing a network traffic monitor configured to measure the volume of traffic being transferred across the network at a certain point in time; and creating a scanning scheduler comprising a plurality of scanning blackout events limiting operation of the network vulnerability scanner, each scanning blackout event including an event name, an applicable country or region for the blackout, a blackout start time, a blackout end time, and a blackout type indicating at least one of: a predetermined level of the blackout in the country or region and a predetermined authorization required for the network scan to proceed. The method further comprises, by a control circuit: controlling operation of the network vulnerability scanner; interrupting, delaying, or canceling a network scan by the network vulnerability scanner when the network traffic measured by the network traffic monitor exceeds a predetermined threshold; and enforcing scanning blackout events according to the scanning scheduler.

Referring to FIG. 1, there is shown a system 100 for managing vulnerability scanning of a network 102 of computing devices 104. It is desirable to conduct regular scans of network(s) 102 in order to prevent improper intrusions by outside actors, such as, for example, hacking of the network 102 or other sorts of unauthorized intrusions by hostile actors. In the retailer context, it has been found that care must be taken as to the timing and extent of these scans because they may reduce the speed of the network 102 or, in rare drastic circumstances, cause the network 102 to crash. So, for example, it may be desirable to conduct the scans at off-peak online and in-store sales times to avoid sales disruptions. Accordingly, the system 100 manages network scanning to minimize interference and disruption of retailer operations.

So, in one aspect, this disclosure is directed generally to the scheduling of network vulnerability scanning at off-peak times so as not to interfere with retailer operations. Network vulnerability scanning is used to determine if computers or devices within an organization are running software which is insecurely configured or that contains vulnerabilities. During these scans, files are accessed, network ports are queried, and a login action may occur. Although most network vulnerability scanners have non-intrusive modes, some software does crash when probed. This intrusion can lead to downtime and loss in sales and productivity. Without a blackout protocol, there is a greater chance of monetary loss when performing scans that may be required for compliance with security regulations.

In this regard, it should be understood that the computing devices may interface with customers, and the disruption of these devices may cause considerable frustration and irritation on the part of customers. For example, customer facing aspects of a system may include devices such as, without limitation, self-checkout stations, point-of-sale endpoints/stations, photo kiosks, etc. In the retail setting, it is desirable to avoid any interference with or disruption of the normal operation of such devices, which may lead to customer annoyance and possible loss of customers. Uptime is critical during peak usage times and especially for such customer-facing components and devices.

Although this disclosure addresses, in part, managing network vulnerability scanning to avoid interference and disruption of retailer operations, it should be understood that it also extends to non-retail operations. Essentially, this disclosure may apply to any subject matter where the control of scanning is useful to avoid interference with and the disruption of ongoing operations. One non-retail example where this disclosure might be applied is to an air traffic control system. It would be desirable to avoid vulnerability scanning during certain days and times, such as, without limitation, certain holidays and/or dates with high volume of air traffic. A second non-retail example is a video streaming service. Again, it would be desirable to avoid vulnerability scanning during certain high volume periods of video streaming, such as, without limitation, weekends. A third non-retail example might be applied to the military. If the status of certain armed forces is elevated to a higher state of readiness, it would be desirable to avoid vulnerability scanning of military systems to make certain that such systems are not disrupted. As should be evident, there are numerous non-retail examples to which this disclosure may be applied, and this disclosure should not be understood to be limited to the retail setting.

The system 100 includes a network 102 that includes a number/collection of computing devices 104 communicatively coupled to the network 102 and with applications running thereon. In some forms, the network 102 may, for example, be a store network, a product distribution center network, and a regional network including a number of stores and/or product distribution centers. It is generally contemplated that the system 100 may be simultaneously managing a large number of separate networks 102 located in different countries, and scans will need to be conducted of these networks 102 at different times and to different extents.

The system 100 further includes a network vulnerability scanner 106 that evaluates insecurity and vulnerability of the network 102 to disruption by outside actors. In one form, the scanner 106 will generally probe and query the network 102 from outside the network 102 to check vulnerability to unauthorized access. For example, in one form, the scanner may perform such operations as attempting to access network files, querying network ports, and seeking to perform login actions. Some examples of network vulnerability scanning tools and software are provided by McAfee, Tenable, and IBM.

In another form, the network vulnerability scanner 106 may also probe and query the network from inside the network 102, and the scanner 106 may also scan nodes using login credentials on the network 102. In this form, the scanner 106 may evaluate insecurity and vulnerability by: scanning nodes using login credentials on the network 102; performing measurements indicating usage capacity on a node or on the network 102; and determining conflicting application operations, misconfigurations of the applications, and/or internal application vulnerabilities.

The system 100 also includes a network traffic monitor 108 for measuring the volume of traffic being transferred across the network 102 at a certain point in time. It is generally contemplated that, as an initial prerequisite, a scan will not be conducted if the network 102 is experiencing a volume of traffic above a certain threshold. In this circumstance, it is desirable to delay the scan so as to avoid the risk of disrupting this high network traffic. As one example, this high volume of network traffic may represent a high volume of online browsing and sales transactions.

The network traffic monitor 108 may measure the volume of network traffic in a variety of ways. It is generally contemplated that network traffic can be measured using either active or passive techniques and through the use of any of a variety of well-known software tools. For example, network traffic may be measured by techniques such as router-based monitoring techniques, data packet capture and analysis, simple network management protocol, and/or the measurement of bandwidth use on individual computing devices and routers. It is contemplated that a general real time estimate of the volume of network traffic will be sufficient and that a precise measurement of network traffic is not required.

In addition, the system 100 includes a scanning scheduler 110 with a number of scanning blackout events that limit operation of the network vulnerability scanner 106. Each of the scanning blackout events includes an event name, an applicable country or region for the blackout, a blackout start time, and a blackout end time. Each scanning blackout event further includes: the level or extent of the blackout of the network 102, the authorization required for a certain network scan to proceed, and possibly a combination of level of blackout and required authorization. Some examples of blackout events where scans may be limited may include: peak business hours at stores in the network 102, certain holidays that may be associated with and known for high online and in-store sales or other high network traffic, and historical times of peak transactions. Additional examples of and details regarding blackout events are addressed further below.

The system 100 further includes a control circuit 112 that is operatively coupled to the network vulnerability scanner 106, network traffic monitor 108, and the scanning scheduler 110 and that controls the general operation of the system 100. As described herein, the language “control circuit” refers broadly to a system including any microcontroller, computer, or processor-based devices with processor, memory, and programmable input/output peripherals, which is generally designed to govern the operation of other components and devices. It is further understood to include common accompanying accessory devices, including memory, transceivers for communication with other components and devices, etc. These architectural options are well known and understood in the art and require no further description here. The control circuit 112 may be configured (for example, by using corresponding programming stored in a memory as will be well understood by those skilled in the art) to carry out one or more of the steps, actions, and/or functions described herein.

The control circuit 112 may be coupled to a memory 114 and may be coupled to the network 102 by a network interface 116. The memory 114 can, for example, store non-transitorily computer instructions that cause the control circuit 112 to operate as described herein, when the instructions are executed, as is well known in the art. Further, the network interface 116 may enable the control circuit 112 to communicate with other elements (both internal and external to the system 100). This network interface 116 is well understood in the art. The network interface 116 can communicatively couple the control circuit 112 to the network 102 being scanned and whatever other network or networks may be appropriate for the circumstances. In one form, it is contemplated that the control circuit 112 will access the blackout events in the scanning scheduler 110 and may access one or more databases to collect data for performing its functions.

In the system 100, the control circuit 112 controls the operation of the network vulnerability scanner 106. It interrupts, delays, or cancels a network scan by the scanner 106 when the network traffic measured by the network traffic monitor exceeds a certain threshold. So, if the network traffic is too high, the scan will not proceed. In addition, the control circuit 112 enforces the scanning blackout events according to the scanning scheduler 110. So, for example, the control circuit 112 may allow a partial or complete scan to proceed to the extent permitted by the scanning scheduler 110 if not completely blacked out and if the required authorization (if any) has been provided.

FIG. 2 shows a schematic of a simple example of application of system 100. In this example, the control circuit 112 inspects the blackout events on the scanning scheduler 110 and applies the correct time zone of the network 102 to be scanned. Next, if the control circuit 112 determines that a blackout date applies to that particular network 102 (i.e., a complete blackout of scans for the entire day), the scan is delayed until the next appropriate date without a blackout. Then, once the blackout date is over (and assuming the next day is not also a complete blackout), the scan can proceed.

As another example, a scan may be rescheduled upon detection of a high volume of network traffic, such as, for instance, may indicate a high volume of online and in-store sales. For example, if the measured traffic is at 99% of saturation, a blackout may be created. If a network scan is delayed or stopped due to high network traffic, the system 100 proceeds with the scan at the next appropriate time (i.e., sufficiently low network traffic and no scheduled blackout date). In one form, following interruption, delay, or cancellation of a network scan when measured network traffic exceeds a certain threshold or limit, the network traffic monitor 108 may be configured to continue measuring the volume of traffic being transferred across the network at certain time intervals (such as, for example, hourly or daily); and the control circuit 112 may be configured to initiate a network scan when both the volume of traffic no longer exceeds the threshold/limit and the scanning scheduler 110 does not indicate a blackout event.

Alternatively, or in addition, a scan may be rescheduled upon detection of a high rate of change of network traffic (i.e., a rapid increase in network traffic). So, a network scan may be delayed or stopped when the rate of change in network traffic is determined to be too high. In one form, the network traffic monitor 108 may be configured to measure the volume of traffic being transferred across a network at certain time intervals for a certain country or region; the control circuit 112 may be configured to determine or calculate a rate in the change of the volume of traffic (based on multiple measurements over a certain time interval); and the control circuit 112 may be configured to interrupt, delay, or cancel a network scan when the rate in the change of the volume of traffic exceeds a certain threshold rate.

It is generally contemplated that the blackout events may be established in various ways. In one form, some or all of the blackout events may be inputted manually based on certain categories or classifications like peak business hours at retail and/or online stores, known high volume shopping holidays (such as the Friday after Thanksgiving in the United States and the following Monday), and historical times of peak transactions. It is also generally contemplated that the scanning scheduler 110 may be updated in a continual and iterative manner to add blackout events to the scanning scheduler 110 (and fine tune those events already added).

Further, it is contemplated that blackout events may be added or revised by an automated process. For example, the control circuit 112 may set up a recurring blackout anniversary date when it experiences a high volume of traffic on a certain date. So, a blackout date may be set for the following year. In other words, the network traffic monitor 108 may measure daily traffic in one or more countries or regions; the control circuit 112 may determine whether the measured daily traffic in the one or more countries or regions exceeds certain thresholds or limits for those countries or regions; and the control circuit 112 may create a scanning blackout event for those countries or regions on anniversaries of the dates where the measured daily traffic exceeded the predetermined thresholds/limits. As another example, the control circuit 112 may set up a recurring blackout anniversary date when a disruption of operations is reported for a certain date. In other words, the control circuit 112 may receive input that a network scan disrupted operations on a certain date in a country or region, and the control circuit 112 may create a scanning blackout event in that country or region on anniversaries of that date. Conversely, the network traffic monitor may measure certain historical periods and data when there is low network usage, and blackout events may be created to identify these time periods as preferred times for network scans.
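The traffic gate of the two preceding paragraphs (volume threshold plus rate-of-change threshold, with the scan interrupted or delayed accordingly) and the automated anniversary rule of this paragraph, as an added illustration that is not code from the disclosure; the threshold values, the hourly readings, the daily peaks and the blackout type given to the anniversary event are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed thresholds: the disclosure only says "a predetermined threshold"
# and offers "99% of saturation" as one example, so both values are assumptions.
SATURATION_THRESHOLD = 0.99   # fraction of capacity at which a scan must not run
RATE_THRESHOLD = 0.25         # rise in utilisation per hour that counts as "too fast"


@dataclass(frozen=True)
class Sample:
    """One reading from the network traffic monitor (utilisation 0.0..1.0)."""
    at: datetime
    utilisation: float


def rate_of_change(samples):
    """Utilisation change per hour between the two most recent samples."""
    if len(samples) < 2:
        return 0.0
    prev, cur = samples[-2], samples[-1]
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:
        raise ValueError("samples must be in chronological order")
    return (cur.utilisation - prev.utilisation) / hours


def traffic_gate(samples, scan_running, blackout_active,
                 threshold=SATURATION_THRESHOLD, rate_threshold=RATE_THRESHOLD):
    """What the control circuit does with the scan on the newest sample.

    Returns 'interrupt' (stop a running scan), 'delay' (do not start one) or
    'proceed'. A scan proceeds only when volume is under the threshold, the
    rise is not too steep, and the scheduler reports no blackout in force.
    """
    cur = samples[-1]
    over_volume = cur.utilisation >= threshold
    over_rate = rate_of_change(samples) >= rate_threshold
    if over_volume or over_rate or blackout_active:
        return "interrupt" if scan_running else "delay"
    return "proceed"


def anniversary_blackouts(daily_peak, region, threshold=SATURATION_THRESHOLD):
    """Automated rule: each day whose peak utilisation reached the threshold
    becomes a recurring blackout on its anniversary the following year."""
    events = []
    for day in sorted(daily_peak):
        if daily_peak[day] < threshold:
            continue
        try:
            anniversary = day.replace(year=day.year + 1)
        except ValueError:                       # 29 Feb: fall back to 28 Feb
            anniversary = day.replace(year=day.year + 1, day=28)
        midnight = datetime.min.time()
        events.append({
            "name": f"High traffic anniversary of {day.isoformat()}",
            "region": region,
            "start": datetime.combine(anniversary, midnight),
            "end": datetime.combine(anniversary + timedelta(days=1), midnight),
            "type": "lockdown",                  # assumed: a full-day blackout
            "recurring": True,
        })
    return events


def demo():
    """Constructed hourly readings on a peak sales morning, plus daily peaks."""
    t0 = datetime(2019, 11, 29, 8, 0)
    readings = [Sample(t0 + timedelta(hours=i), u)
                for i, u in enumerate([0.40, 0.55, 0.85, 0.995, 0.97, 0.60])]
    decisions = [traffic_gate(readings[:i + 1], scan_running=True, blackout_active=False)
                 for i in range(len(readings))]
    peaks = {date(2019, 11, 29): 0.995, date(2019, 11, 30): 0.70, date(2020, 2, 29): 0.99}
    return decisions, anniversary_blackouts(peaks, "US")


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third reading trips the rate threshold before the volume threshold does, which is the case the rate-of-change rule exists for; the 29 February peak lands on 28 February the next year.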

In other forms, blackout events may be added or revised based on a machine learning approach. For example, the system 100 may use a supervised learning approach in which it infers weights to be given to inputted factors based on several examples. Each example includes a set of inputs and a known output value (i.e., a high volume of network traffic). A supervised learning algorithm analyzes the examples (or past inputs and corresponding outputs) and generates an inferred function, which can be used to predict new examples (i.e., to predict an output based on new inputs). In this form, the supervised learning approach may employ a training session with illustrative examples during which inputs based on various factors are compared to the actual output (i.e., actual volume of network traffic vs. predicted network traffic for certain dates in certain countries/regions).

FIG. 3 shows a table 200 of different types of blackouts. It is generally contemplated that a scheduled blackout need not be a complete blackout but instead may be some form of partial blackout. For example, in FIG. 3, five types of blackout scans are shown along with an accompanying description, but it should be understood that numerous other types of blackout scans are possible. In the table, the first type of blackout type is labeled “awareness” 202. Under this blackout type, scans will generally run during this event by default. So, this blackout type may be the lowest level of blackout such that all or most scans will run during this event. A second type of blackout type is labeled “focus” 204. Under this blackout type, scans will generally not run during this event by default. This blackout type may be an intermediate level of blackout that may be overridden by an individual with the required degree of authorization. A third type of blackout type is labeled “lockdown” 206. Under this blackout type, all scans are to cease during this event. As suggested by the label, this blackout event may be a high level of blackout such that it may not be overridden generally (or may only be overridden by an individual with a very high degree of authority). A fourth type of blackout level is labeled “ICE” 208. Under this blackout type, changes have been frozen for a department, and scans are to cease during this event. In one form, this blackout may be a partial blackout that only impacts a department (or portion of a network 102) and not the entire network 102. Alternatively, if changes have been frozen for the department, scans of the entire network 102 may cease, regardless of which network 102 now includes that department (i.e., any addition or change of network to include the department will not circumvent the restriction on scanning). A fifth type of blackout type is labeled “scan window” 210. This blackout type indicates a time period during which the scan can execute. This blackout may be a partial blackout that only covers a certain portion of the day (such as business hours with high online sales or peak business) and that allows scans during other time periods during the day.

Other examples of blackout levels and authorizations (and combinations thereof) are available. For instance, regarding blackout levels and extent of blackouts, these levels may include levels where all network scans are allowed, where only manually inputted and non-recurring network scans are allowed, where network scans are only permitted for certain departments or portions of the network being scanned, and where all network scans are blocked. Further, it is generally contemplated that these levels may stand by themselves or may be coupled to a requisite degree of authorization. So, in one form, different degrees of authorization (and/or authorization by different individuals) may be required to proceed with a network scan for different levels of blackouts. In other words, the predetermined level of a blackout may be selected from a group of levels, each blackout type may indicate the predetermined level of the blackout for a country or region, and each blackout type may further require a certain authorization for the network scan to proceed, with that authorization corresponding to the predetermined level in the country or region.

FIG. 4 shows an example of a portion of a screenshot 300 with information for multiple blackout events. As can be seen, in this example there are three blackout events in two different countries: New Year in China (302), Christmas in the United States (304), and an event labeled “Store Window” in the United States (306). Each of these three events has been assigned a different blackout type and start and end times. The first two events are each assigned a start date and an end date. Because the third event is a “scan window” blackout type, it specifies a start time (23:00 or 11:00 pm) and an end time (07:00 or 7:00 am), rather than start and end dates. Each of these events is also marked as a recurring event so that the same scanning blackout is applied to each occurrence of these events. The user may trigger pull down menus to allow the user to access other selections of events, blackout types, countries, start and end dates, etc. In this example, the user is also permitted to toggle to and access other options in a window 308, such as, without limitation, “Asset Groups” and “Network Management.” In one form, for instance, these other options may allow switching between different networks and may allow control and management of the departments and computing devices included in various networks.
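How a control circuit could enforce the five blackout types of FIG. 3, the authorization levels of the preceding paragraph and a recurring schedule like the one in FIG. 4, as an added example that is not code from the disclosure; the event dates, the type assigned to each event, the ICE entry, the authorization tiers and the fixed time-zone offsets are constructed assumptions (the disclosure gives only the scan window's 23:00 to 07:00 times).

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from enum import IntEnum


class Auth(IntEnum):            # assumed tiers held by whoever requests a scan
    NONE = 0
    ANALYST = 1
    MANAGER = 2
    EXECUTIVE = 3


# Minimum authorization that may override a blackout type. 'awareness' never
# blocks; 'ice' and 'scan_window' cannot be overridden. Tiers are assumptions.
OVERRIDE = {"focus": Auth.MANAGER, "lockdown": Auth.EXECUTIVE}


@dataclass(frozen=True)
class Blackout:
    name: str
    region: str
    kind: str                   # awareness | focus | lockdown | ice | scan_window
    start_date: date = None     # date-range kinds; recurring annually by month/day
    end_date: date = None       # inclusive
    window: tuple = None        # scan_window: (start time, end time), local time
    department: str = None      # ice: the department whose changes are frozen
    recurring: bool = True


def date_active(ev, local_date):
    """Is a date-range event in force on this local date (annual recurrence)?"""
    if not ev.recurring:
        return ev.start_date <= local_date <= ev.end_date
    length = ev.end_date - ev.start_date
    for year in (local_date.year, local_date.year - 1):  # year-1 catches Dec..Jan ranges
        try:
            start = ev.start_date.replace(year=year)
        except ValueError:                                 # event starting on 29 Feb
            start = ev.start_date.replace(year=year, day=28)
        if start <= local_date <= start + length:
            return True
    return False


def in_window(ev, local_time):
    """Scan windows may cross midnight, e.g. 23:00 to 07:00 as in FIG. 4."""
    ws, we = ev.window
    if ws <= we:
        return ws <= local_time < we
    return local_time >= ws or local_time < we


def scan_allowed(events, region, tz, now_utc, auth=Auth.NONE, department=None):
    """Apply the scheduler's blackouts to a proposed scan of `region` right now.
    Returns (allowed, reasons). As in FIG. 2 the instant is first converted to
    the scanned network's time zone; `department` is None for a whole-network scan."""
    local = now_utc.astimezone(tz)
    allowed, reasons = True, []
    windows = [ev for ev in events if ev.region == region and ev.kind == "scan_window"]
    if windows and not any(in_window(ev, local.time()) for ev in windows):
        allowed = False
        reasons.append("outside every scan window")
    for ev in events:
        if ev.region != region or ev.kind == "scan_window" or not date_active(ev, local.date()):
            continue
        if ev.kind == "awareness":
            reasons.append(f"{ev.name}: awareness only, scan runs by default")
        elif ev.kind == "ice":
            # Scans cease for the frozen department; a whole-network scan includes it.
            if department is None or department == ev.department:
                allowed = False
                reasons.append(f"{ev.name}: changes frozen for {ev.department}")
        elif auth >= OVERRIDE[ev.kind]:
            reasons.append(f"{ev.name}: {ev.kind} overridden at {auth.name}")
        else:
            allowed = False
            reasons.append(f"{ev.name}: {ev.kind} needs {OVERRIDE[ev.kind].name}")
    return allowed, reasons


# Constructed schedule modelled on FIG. 4; the dates, the types assigned to each
# event and the ICE entry are assumptions, not values from the disclosure.
EVENTS = [
    Blackout("New Year", "CN", "focus", date(2019, 2, 4), date(2019, 2, 10)),
    Blackout("Christmas", "US", "lockdown", date(2019, 12, 24), date(2019, 12, 26)),
    Blackout("Store Window", "US", "scan_window", window=(time(23, 0), time(7, 0))),
    Blackout("Payments freeze", "US", "ice", date(2019, 12, 1), date(2019, 12, 15),
             department="payments"),
]
# Fixed offsets keep the example self-contained; production code would use
# zoneinfo.ZoneInfo("America/New_York") so daylight-saving shifts are applied.
NEW_YORK = timezone(timedelta(hours=-5))
SHANGHAI = timezone(timedelta(hours=8))


def check(region, tz, utc_tuple, auth=Auth.NONE, department=None):
    """Evaluate EVENTS at a UTC instant given as (Y, M, D, h, m)."""
    now = datetime(*utc_tuple, tzinfo=timezone.utc)
    return scan_allowed(EVENTS, region, tz, now, auth, department)
```

A whole-network scan of the US at 04:30 UTC on 25 December is 23:30 local on Christmas Eve: inside the store window but blocked by the lockdown unless the requester holds the executive tier, while a scan scoped to a department other than payments during the ICE freeze goes ahead.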

FIG. 5 shows a process 400 for managing network vulnerability scanning to avoid interference and disruption of ongoing operations. As addressed above, it is generally contemplated that one or more networks are scheduled for scanning on a periodic basis to seek to prevent potential hacking and other unauthorized intrusions on the network(s). It is desirable to impose blackouts on this scanning at various times in various countries and regions in order to try to minimize potential disruption of the network(s). It is generally contemplated that this process 400 may use any of the systems or components described above.

At block 402, a network of computing devices is provided. It is generally contemplated that these computing devices are communicatively coupled to the network. Further, in one form, the network provided is used in retailer operations, such as, for example, online and in-store sales of merchandise to customers. In addition, it is contemplated that this network will be periodically scanned to try to reduce its vulnerabilities and insecurities to malevolent actions by outside actors. In one form, this network may be just one of many networks controlled and operated by a retailer around the world, all of which may require periodic network scanning.

At block 404, a network vulnerability scanner to scan the network is provided. Any of various types of scanners may be used, including certain conventional vulnerability scanning tools and software created by, for example, McAfee, Tenable, and IBM. In one form, the scanner may interrogate the network from outside the network, such as by seeking to access files, query network ports, and perform login actions. In another form, the scanner may also evaluate the network from inside the network, such as by scanning nodes using login credentials on the network; performing measurements indicating usage capacity on a node or on the network; and determining one or more of conflicting application operations, misconfigurations of the applications, and internal application vulnerabilities.

At block 406, a network traffic monitor is provided to measure the volume of network traffic. In one form, as addressed further below, it is contemplated that the network traffic will be measured to make sure that the scan does not occur when there is already a high volume of network traffic. A network disruption or crash at this high-volume point in time would have a significant impact and might, as one example, prevent a large number of online and/or in-store customers from engaging in and/or completing sales transactions. Any of various network traffic monitor tools and techniques may be used, including, without limitation, router-based monitoring techniques, data packet capture and analysis, the Simple Network Management Protocol (SNMP), and/or the measurement of bandwidth use on individual computing devices and routers.

At block 408, a scanning scheduler is created that includes scanning blackout events, i.e., events when scanning is limited or prohibited. Each scanning blackout event includes: an event name, an applicable country or region for the blackout, a blackout start time, a blackout end time, and a blackout type. The blackout type indicates the level of the blackout in the country or region (for example, the blackout may only be a partial blackout) and/or the authorization required for the network scan to proceed. It is generally contemplated that the scanning scheduler may be continually and iteratively updated with new blackout events or revisions to previously scheduled blackout events.

At block 410, the operation of the network vulnerability scanner is controlled so that it scans network(s) when there is relatively low network traffic and at the times and in the manner permitted by the scanning scheduler. At block 412, the volume of traffic in a network is measured at certain times. For example, it may be measured periodically, such as every hour, every day, or at some other regular interval of time. It is generally contemplated, as an initial step, that scanning will proceed only if the volume of network traffic is sufficiently low. If the volume of network traffic is below a certain threshold, the scan may proceed. However, as shown at block 414, if the network traffic exceeds a certain threshold, the scan will be interrupted, delayed, or canceled. In one form, it is contemplated that the scan may be rescheduled to the next time when network traffic is below the threshold and when there is no blackout event.

At block 416, the scanning blackout events are enforced according to the scanning scheduler. In one form, it is contemplated that the network traffic has been determined to be of a sufficiently low volume for the scan to proceed, but the scanning scheduler still must be consulted to determine if a blackout exists and the nature of the blackout. It is contemplated that various types of blackouts are created, which may determine the extent of the blackout (such as partial or complete) and/or the authorization required for the network scan to proceed.

For example, at block 418, a partial or complete blackout may optionally be applied according to a predetermined level of blackout for a country or region. As described above, these blackout levels may include the following examples of levels: scans will generally run during an event; scans will generally not run or will cease during an event; scans or changes have been frozen for a department or portion of a network; scans are permitted only during a certain time period; or only manually inputted and non-recurring network scans are allowed. In addition, certain authorizations may be required for different blackout levels. Some blackout levels may require no authorization at all in order for a scan to proceed, while other levels may require authorization from an individual in a high position of authority. At block 420, optionally, a network scan may be applied at a predetermined blackout level only when a predetermined authorization is provided (such as, for example, manager, supervisor, vice-president, etc.).
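The enforcement logic of blocks 412 through 420, written out as an added example; this is illustrative code, not part of the disclosure and not the code of any scanner product named above. It applies the traffic gate first, converts the current UTC time to the region's local time as the FIG. 6 description requires, and then applies the most restrictive active blackout together with the authorization that level demands. The blackout type names, the authorization ranks, the fixed region offsets and the dates and types given to the three FIG. 4 events are assumptions. Note that the “Store Window” interval of 23:00 to 07:00 crosses midnight, so the time-of-day test wraps the interval rather than comparing start and end directly; a recurring event is matched on month and day, which is only an approximation for a holiday that moves with a lunar calendar.

```python
"""Added example, not from the patent: a scanning scheduler that enforces the
blackout types of block 418 at each region's local time and demands the
authorization of block 420 before a scan overrides a blackout.  Type names,
authorization ranks, region offsets and the FIG. 4 dates are assumptions."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple


class BlackoutType(Enum):
    SCANS_RUN = "scans generally run"            # no restriction
    SCAN_WINDOW = "scans only within a window"   # partial: daily time-of-day window
    MANUAL_ONLY = "manual non-recurring only"    # partial: ad hoc scans only
    SCANS_CEASE = "scans do not run or cease"    # complete blackout
    FROZEN = "scans and changes frozen"          # complete; highest authority to override


# Authorization rank needed to scan while a blackout of each type is active
# (0 = no authorization).  Both tables are illustrative assumptions.
AUTH_RANK = {"none": 0, "manager": 1, "supervisor": 2, "vice-president": 3}
REQUIRED_AUTH = {
    BlackoutType.SCANS_RUN: 0,
    BlackoutType.SCAN_WINDOW: AUTH_RANK["manager"],
    BlackoutType.MANUAL_ONLY: AUTH_RANK["manager"],
    BlackoutType.SCANS_CEASE: AUTH_RANK["supervisor"],
    BlackoutType.FROZEN: AUTH_RANK["vice-president"],
}
# Fixed offsets stand in for zone data (assumption; use zoneinfo in practice
# so daylight-saving changes are applied per region).
REGION_TZ = {"US": timezone(timedelta(hours=-5)), "CN": timezone(timedelta(hours=8))}


def in_window(t: time, start: time, end: time) -> bool:
    """Time-of-day test.  A window such as 23:00-07:00 wraps past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


@dataclass(frozen=True)
class BlackoutEvent:
    name: str
    region: str
    btype: BlackoutType
    start: Optional[date] = None         # date-ranged events (FIG. 4 rows 302, 304)
    end: Optional[date] = None
    window_start: Optional[time] = None  # scan-window events (row 306)
    window_end: Optional[time] = None
    recurring: bool = True

    def active(self, local: datetime) -> bool:
        """True when this event restricts scanning at the given local time."""
        if self.btype is BlackoutType.SCAN_WINDOW:
            return not in_window(local.time(), self.window_start, self.window_end)
        d = local.date()
        if not self.recurring:
            return self.start <= d <= self.end
        # Recurring: compare month/day, allowing a span across the year boundary.
        # (A lunar-calendar holiday moves each year; a fixed recurrence is an approximation.)
        md, s, e = (d.month, d.day), (self.start.month, self.start.day), (self.end.month, self.end.day)
        return s <= md <= e if s <= e else (md >= s or md <= e)


class Decision(Enum):
    PROCEED = "proceed"
    DELAY = "delay: traffic above threshold"
    BLACKOUT = "blackout: authorization insufficient"


def scan_decision(region: str, now_utc: datetime, traffic: float, threshold: float,
                  events: List[BlackoutEvent], requester: str = "none",
                  manual: bool = False) -> Tuple[Decision, str]:
    """Blocks 412-420: gate on traffic first, then on the most restrictive active blackout."""
    if traffic > threshold:
        return Decision.DELAY, f"traffic {traffic} > {threshold}"
    local = now_utc.astimezone(REGION_TZ[region])
    active = [e for e in events if e.region == region and e.active(local)]
    if not active:
        return Decision.PROCEED, "no blackout"
    worst = max(active, key=lambda e: REQUIRED_AUTH[e.btype])
    need = REQUIRED_AUTH[worst.btype]
    if worst.btype is BlackoutType.MANUAL_ONLY and manual:
        need = 0                       # ad hoc scans are exactly what this level permits
    if AUTH_RANK[requester] >= need:
        return Decision.PROCEED, f"{worst.name}: {worst.btype.value} (authorized)"
    return Decision.BLACKOUT, f"{worst.name}: {worst.btype.value}, rank {need} required"


# Constructed events mirroring the three FIG. 4 rows; dates and types are assumed.
FIG4_EVENTS = [
    BlackoutEvent("New Year", "CN", BlackoutType.SCANS_CEASE, date(2019, 2, 4), date(2019, 2, 10)),
    BlackoutEvent("Christmas", "US", BlackoutType.FROZEN, date(2019, 12, 24), date(2019, 12, 26)),
    BlackoutEvent("Store Window", "US", BlackoutType.SCAN_WINDOW,
                  window_start=time(23, 0), window_end=time(7, 0)),
]

if __name__ == "__main__":
    for when in (datetime(2020, 3, 10, 3, tzinfo=timezone.utc),    # US local 22:00, outside window
                 datetime(2020, 3, 10, 5, tzinfo=timezone.utc),    # US local 00:00, inside window
                 datetime(2020, 12, 25, 5, tzinfo=timezone.utc)):  # Christmas, frozen
        print(when, scan_decision("US", when, traffic=40, threshold=100, events=FIG4_EVENTS))
```

The ordering matters: the traffic check comes before the scheduler lookup so that a surge delays the scan even when no blackout is in force, and when several events overlap (a scan window and a holiday freeze on the same night) the one with the highest authorization requirement governs, so a manager cannot use the scan window to get around the freeze.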

Referring to FIG. 6, there is shown another system 500 for controlling a network vulnerability scanner to try to minimize disruption of ongoing operations. Generally, the system uses a network traffic monitor to avoid running scans during high-traffic times and a scanning scheduler to avoid or limit the running of scans during blackout events. The system 500 is similar to system 100 addressed above and the description above is incorporated herein. Further, the system 500 may operate in accordance with the process 400 addressed above.

The system 500 includes a network or networks 502 of computing devices 504. As shown in FIG. 6, in one form, it is contemplated that the network(s) 502 may cover a number N of different regions. These regions may encompass different time zones and different countries. As should be evident, where different time zones are involved, the system 500 applies scanning blackouts in accordance with the local time for that region. In this form, it is contemplated that the network(s) 502 cover operations in different regions, such as, for example, online and in-store sales of merchandise to customers.

The scanning operations are performed by the asset scanning engine(s) 506 (or network vulnerability scanner). It is generally contemplated that one or more scanning engines may be used to perform the vulnerability scanning of the network (or parts of the network) in various regions at various times. As addressed above, various conventional types of scanning engines and software tools may be used. In one form, the scanner may interrogate the network(s) 502 (or part of it) from outside the network(s) 502, while in another form, the scanner may also evaluate the network(s) 502 (or parts thereof) from inside the network(s) 502.

The scanning operations are controlled by a blackout type enforcer 508 (or control circuit). It is generally contemplated that the enforcer 508 considers both network traffic/sales and scheduled blackout events in determining how and when network scans should run. Regarding network traffic/sales, the system 500 includes a traffic and sales detector 510 (or network traffic monitor) to determine network traffic and sales. The traffic and sales detector 510 may be used to conduct real-time measurements of network traffic and sales and/or to establish long-term trends and data regarding peak sales at various regions, as shown at block 512. The blackout type enforcer 508 may use these real-time measurements and/or long-term trend data to interrupt, delay, or cancel scans that would otherwise occur during periods of high network traffic and sales.
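The traffic side of the enforcer 508, as an added example that is not part of the disclosure: a gate that interrupts on the absolute threshold of block 414 and on the rate of change of traffic described in claim 7 below, keeps measuring at fixed intervals after a delay until traffic is low and no blackout applies (claim 6), and derives recurring anniversary blackout events from the long-term data of block 512 and from reported scan disruptions (claims 2 and 3). The unit of volume, the thresholds, the sample series and the blackout type assigned to the derived events are constructed assumptions.

```python
"""Added example, not part of the disclosure: the traffic side of the blackout
type enforcer 508.  Thresholds, units and the sample data are constructed."""
from collections import deque
from dataclasses import dataclass
from datetime import date, datetime
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Sample:
    at: datetime
    volume: float   # assumed unit, e.g. transactions per minute for the region


class TrafficGate:
    """Interrupt/delay/proceed from the most recent samples (blocks 412-414, claim 7)."""

    def __init__(self, threshold: float, max_rate: float, history: int = 4):
        self.threshold = threshold   # absolute volume above which a scan must not run
        self.max_rate = max_rate     # volume increase per minute that signals a surge
        self.samples: Deque[Sample] = deque(maxlen=history)

    def observe(self, s: Sample) -> None:
        self.samples.append(s)

    def rate(self) -> float:
        """Change in volume per minute between the two latest samples."""
        if len(self.samples) < 2:
            return 0.0
        a, b = self.samples[-2], self.samples[-1]
        minutes = (b.at - a.at).total_seconds() / 60.0
        return (b.volume - a.volume) / minutes if minutes > 0 else 0.0

    def verdict(self) -> str:
        if not self.samples:
            return "delay"           # nothing measured yet: do not start
        if self.samples[-1].volume > self.threshold:
            return "interrupt"       # block 414: absolute threshold exceeded
        if self.rate() > self.max_rate:
            return "interrupt"       # claim 7: surge under way although still below threshold
        return "proceed"


def next_scan_start(gate: TrafficGate, samples: Iterable[Sample],
                    blackout_dates: Set[date]) -> Optional[datetime]:
    """Claim 6: keep measuring at intervals; start only when traffic is low AND no blackout."""
    for s in samples:
        gate.observe(s)
        if gate.verdict() == "proceed" and s.at.date() not in blackout_dates:
            return s.at
    return None


def anniversary_blackouts(region: str, daily: Dict[date, float], threshold: float,
                          disruptions: Iterable[Tuple[date, str]] = ()) -> List[dict]:
    """Claims 2 and 3: recurring blackout events on the anniversaries of peak-traffic
    days and of past scan-caused disruptions.  Rows carry the FIG. 4 fields; the
    'scans cease' type given to derived events is an assumption."""
    def row(name: str, day: date) -> dict:
        return {"name": name, "region": region, "start": (day.month, day.day),
                "end": (day.month, day.day), "type": "scans cease", "recurring": True}
    events = [row(f"Peak traffic anniversary ({day.isoformat()})", day)
              for day, volume in sorted(daily.items()) if volume > threshold]
    events += [row(f"Scan disruption anniversary: {note}", day) for day, note in disruptions]
    return events


# Constructed sample data (not measurements from the disclosure).
DAILY_US = {date(2019, 11, 29): 980.0, date(2019, 11, 30): 610.0,
            date(2019, 12, 1): 420.0, date(2019, 12, 2): 890.0}
DISRUPTIONS_US = [(date(2018, 6, 14), "checkout outage during scan")]
INTERVAL_SAMPLES = [Sample(datetime(2019, 12, 2, 23, 50), 600.0),   # above threshold
                    Sample(datetime(2019, 12, 2, 23, 55), 480.0),   # low, but a blackout day
                    Sample(datetime(2019, 12, 3, 0, 0), 470.0)]     # low and clear

if __name__ == "__main__":
    for e in anniversary_blackouts("US", DAILY_US, 800.0, DISRUPTIONS_US):
        print(e)
    start = next_scan_start(TrafficGate(threshold=500.0, max_rate=50.0),
                            INTERVAL_SAMPLES, {date(2019, 12, 2)})
    print("next scan may start at", start)
```

The rate check is what the absolute threshold alone misses: a scan started at the foot of a sales surge is still running at the peak, so a steep rise is treated as an interrupt condition before the threshold is reached. The derived events are emitted in the FIG. 4 field layout so they can be loaded into the scan scheduler 514 through the same path as manually entered events.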

Regarding scheduled blackout events, a scan scheduler 514 is used to keep track of blackout events, including the nature and type of blackouts. As addressed above, various types of blackouts may be created for different regions, and these blackout types may determine the extent of the blackout (such as partial vs. complete) and/or the authorization required for the network scan to proceed (or to override a scheduled blackout). The above description of some examples of blackout types, levels, and authorizations is incorporated herein, including, without limitation, the examples shown and described in FIG. 3.

The scan scheduler 514 and the blackout events on the scan scheduler 514 may be created and inputted in various ways. For example, they may be created and inputted by command line interface 516, by manual input 518, or by any other suitable manner. As shown at block 520, there may also be a database of specific blackout events for different regions, such as, for example, local holidays and anniversary dates of previous disruptions to operations in a particular region. In one form, for example, blackout events may be inputted and created consistent with the table and data fields shown in FIG. 4.

As addressed above, it should be understood that this disclosure may be applied to both retail and non-retail operations. As a general matter, this disclosure may be applied broadly to any subject matter where the control of vulnerability scanning is useful to avoid possibly interfering with and disrupting ongoing network operations. Some examples of the applicability to retail operations have been described above. Other examples of possible non-retail areas have also been addressed, including, without limitation, air traffic control systems, video streaming services, and military applications. As should be evident, there are numerous retail and non-retail examples to which this disclosure may be applied, and this disclosure should not be understood to be limited to any particular setting.

Those skilled in the art will recognize that a wide variety of other modifications, alterations, and combinations can also be made with respect to the above described embodiments without departing from the scope of the invention, and that such modifications, alterations, and combinations are to be viewed as being within the ambit of the inventive concept.

What is claimed is:
 1. A system for managing network vulnerability scanning to avoid interference and disruption of network operations, the system comprising: a network comprising a plurality of communicatively coupled computing devices with applications running thereon; a network vulnerability scanner configured to evaluate insecurity and vulnerability of the network to disruption by outside actors; a network traffic monitor configured to measure the volume of traffic being transferred across the network at a certain point in time; a scanning scheduler comprising a plurality of scanning blackout events limiting operation of the network vulnerability scanner, each scanning blackout event including an event name, an applicable country or region for the blackout, a blackout start time, a blackout end time, and a blackout type indicating at least one of: a predetermined level of the blackout in the country or region and a predetermined authorization required for the network scan to proceed; and a control circuit operatively coupled to the network vulnerability scanner, network traffic monitor, and the scanning scheduler, the control circuit configured to: control operation of the network vulnerability scanner; interrupt, delay, or cancel a network scan by the network vulnerability scanner when the network traffic measured by the network traffic monitor exceeds a predetermined threshold; and enforce scanning blackout events according to the scanning scheduler.
 2. The system of claim 1, wherein: the network traffic monitor measures daily traffic in one or more countries or regions; the control circuit determines whether the measured daily traffic in the one or more countries or regions exceeds predetermined thresholds for those one or more countries or regions; and the control circuit creates a scanning blackout event for those one or more countries or regions on anniversaries of the dates where the measured daily traffic exceeded the predetermined thresholds.
 3. The system of claim 1, wherein: the control circuit receives input that a network scan disrupted network operations on a certain date in a country or region; and the control circuit creates a scanning blackout event in that country or region on anniversaries of that certain date.
 4. The system of claim 1, wherein the predetermined level of a blackout comprises one or more of: all network scans allowed, only manually inputted and non-recurring network scans allowed, network scans only permitted for certain departments or portions of the network being scanned, and all network scans blocked.
 5. The system of claim 1, wherein: the predetermined level of a blackout is one selected from a group of levels; each blackout type indicates the predetermined level of the blackout for each country or region; and each blackout type further requires a predetermined authorization for the network scan to proceed, the predetermined authorization corresponding to the predetermined level in each country or region.
 6. The system of claim 1, wherein, following interruption, delay, or cancellation of a network scan when measured network traffic exceeds a predetermined threshold: the network traffic monitor is configured to continue measuring the volume of traffic being transferred across the network at predetermined time intervals; and the control circuit is configured to initiate a network scan when both the volume of traffic no longer exceeds the predetermined threshold and the scanning scheduler does not indicate a blackout event.
 7. The system of claim 1, wherein: the network traffic monitor is configured to measure the volume of traffic being transferred across a network at predetermined time intervals for a predetermined country or region; the control circuit is configured to determine a rate in the change of the volume of traffic; and the control circuit is configured to interrupt, delay, or cancel a network scan when the rate in the change of the volume of traffic exceeds a predetermined threshold rate.
 8. The system of claim 1, wherein the network vulnerability scanner performs at least one of the operations of accessing files, querying network ports, and performing login actions.
 9. The system of claim 1, wherein the network vulnerability scanner is further configured to evaluate insecurity and vulnerability by: scanning nodes using login credentials on the network; performing a plurality of measurements indicating usage capacity on a node or on the network; and determining one or more of conflicting application operations, misconfigurations of the applications, and internal application vulnerabilities.
 10. The system of claim 1, wherein the scanning blackout events comprise one or more of peak business hours, predetermined holidays, and historical times of peak network transactions.
 11. A method for managing network vulnerability scanning to avoid interference and disruption of network operations, the method comprising: providing a network comprising a plurality of communicatively coupled computing devices with applications running thereon; providing a network vulnerability scanner configured to evaluate insecurity and vulnerability of the network to disruption by outside actors; providing a network traffic monitor configured to measure the volume of traffic being transferred across the network at a certain point in time; creating a scanning scheduler comprising a plurality of scanning blackout events limiting operation of the network vulnerability scanner, each scanning blackout event including an event name, an applicable country or region for the blackout, a blackout start time, a blackout end time, and a blackout type indicating at least one of: a predetermined level of the blackout in the country or region and a predetermined authorization required for the network scan to proceed; and by a control circuit: controlling operation of the network vulnerability scanner; interrupting, delaying, or canceling a network scan by the network vulnerability scanner when the network traffic measured by the network traffic monitor exceeds a predetermined threshold; and enforcing scanning blackout events according to the scanning scheduler.
 12. The method of claim 11, further comprising: by the network traffic monitor, measuring daily traffic in one or more countries or regions; by the control circuit, determining whether the measured daily traffic in the one or more countries or regions exceeds predetermined thresholds for those one or more countries or regions; and by the control circuit, creating a scanning blackout event for those one or more countries or regions on anniversaries of the dates where the measured daily traffic exceeded the predetermined thresholds.
 13. The method of claim 11, further comprising: by the control circuit, receiving input that a network scan disrupted network operations on a certain date in a country or region; and by the control circuit, creating a scanning blackout event in that country or region on anniversaries of that certain date.
 14. The method of claim 11, wherein the predetermined level of a blackout comprises one or more of: all network scans allowed, only manually inputted and non-recurring network scans allowed, network scans only permitted for certain departments or portions of the network being scanned, and all network scans blocked.
 15. The method of claim 11, wherein: the predetermined level of a blackout is one selected from a group of levels; each blackout type indicates the predetermined level of the blackout for each country or region; and each blackout type further requires a predetermined authorization for the network scan to proceed, the predetermined authorization corresponding to the predetermined level in each country or region.
 16. The method of claim 11, further comprising, following interruption, delay, or cancellation of a network scan when measured network traffic exceeds a predetermined threshold: by the network traffic monitor, continuing to measure the volume of traffic being transferred across the network at predetermined time intervals; and by the control circuit, initiating a network scan when both the volume of traffic no longer exceeds the predetermined threshold and the scanning scheduler does not indicate a blackout event.
 17. The method of claim 11, further comprising: by the network traffic monitor, measuring the volume of traffic being transferred across a network at predetermined time intervals for a predetermined country or region; by the control circuit, determining a rate in the change of the volume of traffic; and by the control circuit, interrupting, delaying, or canceling a network scan when the rate in the change of the volume of traffic exceeds a predetermined threshold rate.
 18. The method of claim 11, wherein the network vulnerability scanner performs at least one of the operations of accessing files, querying network ports, and performing login actions.
 19. The method of claim 11, wherein, by the network vulnerability scanner, evaluating insecurity and vulnerability by: scanning nodes using login credentials on the network; performing a plurality of measurements indicating usage capacity on a node or on the network; and determining one or more of conflicting application operations, misconfigurations of the applications, and internal application vulnerabilities.
 20. The method of claim 11, wherein the scanning blackout events comprise one or more of peak business hours, predetermined holidays, and historical times of peak network transactions.